CVE-2026-39882

Опубликовано: 08 апр. 2026

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.

Ссылки

https://github.com/open-telemetry/opentelemetry-go/pull/8108
Patch
https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*

Версия до 1.43.0 (исключая)

EPSS

Процентиль: 5%

0.0002

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-789

Связанные уязвимости

CVE-2026-39882

CVSS3: 5.3

ubuntu

6 дней назад

CVE-2026-39882

msrc

4 дня назад

OpenTelemetry-Go OTLP HTTP exporters read unbounded HTTP response bodies

CVE-2026-39882

CVSS3: 5.3

debian

7 дней назад

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1 ...

GHSA-w8rr-5gcm-pp58

CVSS3: 5.3

github

7 дней назад

opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies

EPSS

Процентиль: 5%

0.0002

Низкий

5.3 Medium

CVSS3

Дефекты

CWE-789